back to article New vicious UEFI bootkit vuln found for Windows 8

Security researchers have discovered security shortcomings in Windows 8 that create a means to infect the upcoming operating system with rootkit-style malware. Italian security consultants ITSEC discovered the security hole following an analysis of the Unified Extensible Firmware Interface (UEFI), a successor to the legacy BIOS …

COMMENTS

This topic is closed for new posts.

Silver badge
Facepalm

Some things never change

That is all

7
4
Silver badge
Stop

Re: Some things never change

"Some things never change " like the Captain f***ing Pugwash theme for all Reg sub heads this week. It's almost as bad as the obsessive compulsive "!" after every f***ing word in the title of an article referring to Yahoo.

Give it a rest, please, we're bored.

4
37
Silver badge

Re: Some things never change

Today is International Talk like a Pirate Day

14
0
Silver badge
Linux

Re: Some things never change

@Ledswinger

Not enough coffee or too much?

11
0

Re: Some things never change

I think he needs a hug! Come here, you scamp!

<Ruffles hair>

10
0
Silver badge
Windows

Re: Some things never change

"I think he needs a hug! Come here, you scamp!"

There's a poster that doesn't know me, and my impressively low personal hygiene standards.

But evidently "we're bored" was incorrect on my part. I'm f***ing bored of the "a'ha, me hearties" s****. Is everybody happy now?

1
9
Anonymous Coward

Re: Some things never change

Why don't you just avoid reading them then aaron?

0
0
Coat

Obviously this is on purpose

so SecureBoot must be enabled and it becomes that much harder to run Linux.

<- mine's the one with the conspiracy theory in the inside pocket

34
1
Ru
Pirate

Re: Obviously this is on purpose

Does make quite a good false flag operation, does it?

2
0
HMB

Re: Obviously this is on purpose

If you can't manage to go into your BIOS and change the secure boot to 'custom' or 'off', it really is best that you don't attempt to install Linux anyway.

There are around 2 billion computer users in the world. Around 1.8 billion Windows users would benefit from secure boot by eliminating traditional rootkits. It will slightly inconvenience 40 million, for the sake of 1.8 billion. Stop being so selfish.

(I'm having a competition for downvotes with this message so don't feel shy if you want to knee jerk)

13
21

Re: Obviously this is on purpose

If you can't manage to go into your BIOS and change the secure boot to 'custom' or 'off', it really is best that you don't attempt to install Linux anyway.

On the face of it you're correct, except that the BIOS doesn't have to have an off switch. Bit of a bugger then if you get a machine and find you can't turn it off.

I'd be happy with them mandating an off-switch (whether hardware or software) personally, but others obviously differ on this one!

7
1
Silver badge

Re: Obviously this is on purpose

"On the face of it you're correct, except that the BIOS doesn't have to have an off switch. Bit of a bugger then if you get a machine and find you can't turn it off."

You're in luck. Microsoft have required manufacturers to allow a physically present user to turn off Secure Boot on any x86 system. It's part of the specification that has to be met in order to receive a Windows 8 sticker.

3
1

Re: Obviously this is on purpose

The cynic in me wonders whether this will eventually be done via a hardware switch, inside the machine - requiring you to void your warranty if you want to install a "non-standard" operating system.

2
0
FAIL

Re: Obviously this is on purpose

Yes! I've! Just! Been Caught! OUT! by This! F%^cking! Madness!

Sorry about that - just couldn't resist annoying all those posters that are "F^&cking pissed off with every headline concerning Yahoo!"

Erhum.... Getting back on subject...

I've just been caught out by this unawares on my new Asus laptop (to replace my HP laptop that "fried" due to the well known design flaw). Upon trying to boot from the USB universal recovery stick (Yum, Ubuntu Live, etc.) only to discover that it no longer worked. I discovered that the laptop had all this Uefi/MS lock (sorry, Secure Boot) crap on it - AFTER I had already added all my applications to the installation! I am now in the midst of the long drawn-out process of imaging the partitions to convert the primary drive to MBR so I can get back to normal and finish my multi-boot setup!

F^&^cking Microsoft! Grrrrr.......

2
3
Bronze badge

Re: Obviously this is on purpose

It is Microsoft's way of "enhancing its partners offerings"; by making sure that competing O/Ses are locked out, and that it will be difficult to install alternatives, or to upgrade the installed O/S.

It all boils down to this:

do we trust the OEMs to make it convenient for end users to

a) install their own keys for either alternative O/S installs (assuming the end user wants a "Secure Boot" experience), or

b) to allow the end user to install keys for upgrades to the existing O/S

The reason why I mentioned "b)" is that without that capability, your desktop becomes essentially a "brick", and in order to upgrade the O/S, you may have to buy new hardware, and we all know that makes M$' hardware partners very happy. They must look at the cell phone market with envy - just look at all of those ilemmings who go out and splurge hard earned cash on the newest Jesus phone. Those greedy bastards (OEMs) want their share too!!

1
0
Pirate

It gets worse...

If you can load something nasty at the UEFI level, the OS doesn't matter, Linux, W8, whatever... also current Virus/Malware scanners stand no chance of detecting it.

13
0
FAIL

How long have they been designing this system?

And they STILL couldn't get it right. Jesus.

11
3
JDX
Gold badge

Re: How long have they been designing this system?

Who is they? Is UEFI MS-only, surely not?

5
2
Silver badge
Alien

Re: How long have they been designing this system?

So how long have you been designing this Faster-Than-Light drive? And you still can't get it working? Fucking pathetic!

2
6

Local Admin rights

This looked as though the command line had to be run as an administrator. If you take away the admin rights in the first place, your users should be fine right?

0
1
Anonymous Coward

Re: Local Admin rights

I think that was just because he was starting a service, for which you need to be an administrator (usually.)

However I'm not sure where the problem is, is it a UEFI (ie: non-MS) or a Windows (ie: MS) problem? The whole point of UEFI is that if the OS has been compromised, it shouldn't allow it to load, so even if Windows allows its system files to be replaced, UEFI secureboot shouldn't let it boot.

3
0
Linux

We told you so

Secure boot was only ever about trying to stop Linux and introduce TPM style DRM and nothing to do with stopping nasties.

33
16
FAIL

Re: We told you so

Except if you read the article, Secureboot stops the attack!!!

8
5
Anonymous Coward

Re: We told you so

How dare you read the article instead of immediately posting an anti-MS comment!

No The Register 100% Approved Linux Bigot™ badge for you!

6
4
Anonymous Coward

Re: We told you so

While it may stop that particular nasty, if you think that Microsoft, with all the money they have and time they've had, were really concerned about stopping those nasties I'd have to say you're wrong. Microsoft is far more concerned about stopping the usage of Linux on work and home computers. I use Linux Mint (Maya) and I can tell you that it works great, including with online (web delivered) games that my children, ages 5 and 7, enjoy. To recap - Linux works great, the OS doesn't get in your way and it's NOT Microsoft, hhhmmm, Microsoft must kill it. I wouldn't be surprised to learn that Microsoft and the UEFI knew about this long ago or even designed it into the software to shut out all other OSs.

3
2
Silver badge

Re: We told you so

"I wouldn't be surprised to learn that Microsoft and the UEFI knew about this long ago or even designed it into the software to shut out all other OSs."

You have a demonstrated attack that threatens any installed OS (Ubuntu, Windows, BeOS, anything), a countermeasure released by a specifications foundation made up overwhelmingly by hardware manufacturers which protects against it and which can be (and is) used by multiple OS producers (MS, Red Hat, Ubuntu) and somehow this becomes an attempt by MS and "the UEFI" (what, the BIOS replacement running on my motherboard?) to shut out all other OS's?

3
1
Anonymous Coward

@h4rm0ny - Re: We told you so

Yep, it's a blatant attempt to shut out any unauthorized (by MS) OS. You want the proof ? All those hardware manufacturers under the visionary lead of Microsoft "wink wink" forgot to allow more than one encryption key so Microsoft is the only one who can decide what OS will run on a secure booted hardware.

Oh, and please stop mentioning RedHat and Ubuntu, their OS will run only if their boot loader is signed by Microsoft. As for computer OEMs neutrality, don't bother explaining it.

4
2
JDX
Gold badge
Flame

still vulnerable to the old attacks if the SecureBoot technology is not turned on by default

So turn it on by default then.

6
2

Re: still vulnerable to the old attacks if the SecureBoot technology is not turned on by default

Which is exactly what Microsoft require for certification and exactly what the Linux fanboys have been complaining about, saying it has no value.

1
12
Anonymous Coward

Re: still vulnerable to the old attacks if the SecureBoot technology is not turned on by default

But if it's turned on by default that means that MS are anti-foss and want to kill every other OS, it's nothing to do with security, just market domination, etc. etc. etc.

7
1
Silver badge

Re: still vulnerable to the old attacks if the SecureBoot technology is not turned on by default

Thing is, unlike on tablets, turning it on by default wouldn't be so big a deal...so long as you still have access to the ON/OFF switch!

2
0
Bronze badge
Boffin

Re: still vulnerable to the old attacks if the SecureBoot technology is not turned on by default

Which is exactly what Microsoft require for certification and exactly what the Linux fanboys have been complaining about, saying it has no value.

No, what the Linux ... er ... supporters have been saying (more or less) is that a system that can only boot Windows has no value (to them).

The Secure Boot feature of UEFI has the potential to make a PC much more secure (if it is turned on) but it also has the potential to be used to lock the hardware to boot only an OS signed by a particular vendor/distributor. Used sensibly it can provide security without lock-in, used as Microsoft want it provides security only for Microsoft OSes, and for other OSes whose binaries have been signed by Microsoft.

Secure Boot relies on cryptographic keys stored on the motherboard. When Secure Boot is enabled the UEFI firmware will only allow the system to boot from an image that has been signed using one of those keys. It's perfectly possible to design UEFI firmware that allows the user to install new sets of keys with which to verify signatures on different systems -- so if I wanted to run Ubuntu I'd install a key certificate published by Canonical, and so on. No such facility is mandated by the UEFI spec, but at least some UEFI implementations do support it.

There is a concern that malware might be able to add fraudulent certificates to the onboard store, but it would be possible to prevent this by fitting a physical switch that would have to be activated to enable certificate installation.

What some Linux vendors are actually doing is to provide their own bootloader which will be signed using Microsoft's keys (for which Microsoft will doubtless make a charge) and making that bootloader responsible for checking the signatures on the OS kernel that it subsequently loads. That's a bit simpler for the end user to deal with, but does mean that MS get paid a fee for the ability to run a non-MS OS.

10
0
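Added example, not part of any poster's comment or of the article: a defender-side check of the three states this thread keeps circling (Secure Boot enforcing, Secure Boot disabled, and firmware left open to key enrolment), read from the standard UEFI `SecureBoot` and `SetupMode` variables. It assumes a Linux host with efivarfs mounted at the usual path; the function names and the sample byte strings are constructed for illustration.

```python
import struct
from pathlib import Path

# EFI_GLOBAL_VARIABLE namespace GUID; efivarfs names files "<Name>-<GUID>".
EFI_GLOBAL = "8be4df61-93ca-11d2-aa0d-00e098032b8c"
EFIVARS = Path("/sys/firmware/efi/efivars")  # assumption: Linux, efivarfs mounted

# Constructed samples: 4-byte little-endian attribute word (0x6 = boot-service
# + runtime access) followed by the variable's one-byte value.
SAMPLE_ON = b"\x06\x00\x00\x00\x01"
SAMPLE_OFF = b"\x06\x00\x00\x00\x00"


def flag(raw):
    """Decode a one-byte boolean efivarfs entry; None means the variable is absent."""
    if raw is None:
        return None
    if len(raw) != 5:
        raise ValueError("expected 4 attribute bytes plus 1 data byte")
    _attrs, value = struct.unpack("<IB", raw)
    if value not in (0, 1):
        raise ValueError(f"unexpected value {value}")
    return value


def classify(secure_boot_raw, setup_mode_raw):
    """Map the SecureBoot and SetupMode variables to a posture label."""
    secure_boot, setup_mode = flag(secure_boot_raw), flag(setup_mode_raw)
    if secure_boot is None:
        return "unknown"      # firmware does not expose the variable
    if setup_mode == 1:
        return "setup-mode"   # no platform key: keys can be enrolled unauthenticated
    if secure_boot == 1:
        return "enforcing"    # only images verified against the key store boot
    return "disabled"         # keys may be present, but boot images are not checked


def read_var(name, root=EFIVARS):
    """Read one global UEFI variable from efivarfs, or None if it is missing."""
    try:
        return (Path(root) / f"{name}-{EFI_GLOBAL}").read_bytes()
    except OSError:
        return None


def audit(root=EFIVARS):
    """Return the posture of the running host (or of a test directory)."""
    if not Path(root).is_dir():
        return "no-efivarfs"  # legacy BIOS boot, or efivarfs not mounted
    return classify(read_var("SecureBoot", root), read_var("SetupMode", root))


if __name__ == "__main__":
    print(audit())
```

A fleet check would alert on anything other than `enforcing`; `setup-mode` deserves the most attention because the key store itself can still be rewritten.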
Silver badge

Re: still vulnerable to the old attacks if the SecureBoot technology is not turned on by default

"and for other OSes whose binaries have been signed by Microsoft."

This part is wrong and the rest of your post follows from it. Red Hat asked MS to provide them a key because MS offered it cheaper than Red Hat could do it themselves. There's no requirement that a key be provided by Microsoft.

2
1
Silver badge
Childcatcher

Re: still vulnerable to the old attacks if the SecureBoot technology is not turned on by default

And while they are at it, turn on DEP/ASLR/SEHOP for everything too as default.

Oh and mandatory password for Admin accounts as default too.

Then that's most of it.

It's all there just MS always wimps out from turning all the security on.

1
0
Anonymous Coward

@h4rm0ny - Re: still vulnerable to the old attacks...

Now it's your turn to be wrong. Microsoft does not provide a key, Red Hat asked Microsoft to sign its boot loader with MS key. Reason is simple, you can not have multiple keys in UEFI. You will have either Microsoft key or your key (in case hardware manufacturer allows you to change it)

1
0
Pirate

Does that mean...

I can install a penguin based OS on a "Built for Windos" machine?

1
0
Silver badge

Re: Does that mean...

"I can install a penguin based OS on a "Built for Windos" machine?"

Your question shows a misunderstanding. UEFI is not Secure Boot. Secure Boot is a feature of UEFI. And Secure Boot actually prevents this attack so this is not an exploit that would allow you to bypass it and install a Linux bootloader. But your question is also a red herring as you already could if it's an x86 machine. Microsoft certification requires that the user be able to turn off Secure Boot which is all you need. On RT platforms you cannot turn off Secure Boot, but this isn't a work around for Secure Boot anyway, so it won't let you install an ARM Linux on a WinRT device.

1
1
Anonymous Coward

Colour me astonished

So Secure Boot is not secure when it is not enabled. Who knew?

9
1
Silver badge
Pirate

Re: Colour me astonished

Arr! It be Pirate Boots then!

2
0
Silver badge
Linux

"The UEFI boot loader developed by Allievi overwrites the legitimate Windows 8 UEFI bootloader, bypassing security defences in the process." -- AKA, support for linux

6
1
FAIL

Just how long before...

Just how long before some enterprising malware writer can fake a bootloader certificate? My guess is that if it hasn't been done (certainly by the NSA or other government spyware organizations already), it will be soon.

2
0

Re: Just how long before...

Faking any cert is easy. I've got .NET code on my hard drive that'll create any EV cert you like. The trick will be in faking the verification. A better question to ask will be whether verification can be faked in a sandbox.

2
1

Could this root a tablet?

I'm interested - not exactly sure how UEFI works yet, but does this mean:-

a. An UEFI enabled Windows PC could be "rooted" legitimately to enable a dual-boot?

b. A MS tablet with enforced UEFI could be legitimately rooted to enable an Android or Ubuntu install?

Also, is this exploit open source?

And before I forget, "Yaarr!"

4
0
Coffee/keyboard

Re: Could this root a tablet?

From reading the different specs, for the vast majority of Win 8 PCs, it will be possible to enable a dual-boot. As someone else already said, SUSE, RedHat, and Ubuntu all showed a working implementation of booting a PC with Secure Boot fully enabled.

As for turning off Secure Boot, the average Linux user can easily do that on just about any Win 8 Certified system. It was pretty clear from the early Win 8 development flame wars that Microsoft has no interest in using THIS to kill Linux.

It appears the WinRT ARM Tablets (and notebooks) will be extremely difficult to create a dual-boot version in the field, but then their hardware is pretty different from the current Android tablets. I guess if you spent the time on creating a working Android, you might be able to figure out how to get it installed on a system.

1
1
Anonymous Coward

Re: Could this root a tablet?

You are kidding about Microsoft having no interest in killing Linux, aren't you?

1
0
Silver badge

Re: Could this root a tablet?

He's simply said Microsoft isn't interested in using Secure Boot to kill Linux. It would tick off too many people and be crossing a legal line in Microsoft's case since they don't own the UEFI code. That's why the PC versions require an ON/OFF switch, to show that Microsoft isn't coercing the OEMs. The tablets are another story because that is supposed to be a total-package solution that requires end-to-end protection. Different rules.

0
0
WTF?

This article is complete crap

Basically what it says is that the new security in Windows 8 can be bypassed unless the new security feature, i.e. secureboot, is turned on.

Well blow me, if you turn off the security feature that is designed to stop bootloaders then you can load a bootloader!!!

4
2
Anonymous Coward

Not again!

So when Microsoft after a decade of trial and error finally gets it right about security, they hand it over to a bunch of people who have no clue about security and best coding practice in general, the BIOS and firmware makers. I'm having a bit of hard time figuring out who are the real Muppets here.

1
1
Silver badge
Pirate

Re: Not again!

Is it the one on your right hand? Or left hand? Or both hands?

2
0
Anonymous Coward

AC: Not again!

Has Microsoft only been trying to secure their OS since 2002? Seems to me XP was a great improvement over earlier attempts, even as flawed as it was.

0
0